“We do not store Bitcoin for ransomware and do not make payments to recover data,” says Jim Routh, chief security officer at Hartford, Conn.-based Aetna, one of the nation's leading diversified healthcare benefits companies.

Saying no to ransom demands, backing up all data in the enterprise, training employees on how to detect and react to spear phishing emails (which is how 91 percent of cyber attacks originate), and more timely patching (software updates), are the best practices that many IT security leaders are following.

Companies buy Bitcoin in case of attack

However, battening down the hatches to protect against hackers is easier said than done — and businesses are hardly devoid of Bitcoin — much as it can be argued by many experts for an alignment to Routh's thinking.

A disturbing trend is brewing in the U.K., where organizations are seemingly more likely to pay ransoms.

“About a third of mid-sized British companies report having Bitcoin on hand to respond to ransomware emergencies when other options can't be immediately exhausted,” says Gotham Sharma, managing director at Exeltek Consulting Group, a New York City-based consulting firm specializing in cybersecurity and digital privacy.

“Interestingly, the percentage of British companies who don't regularly back up data is also about a third,” adds Sharma.

John McAfee — his last name synonymous with antivirus software — has turned his attention to stockpiling cryptocurrency over the past year. The Chief Cybersecurity Visionary at MGT Capital Investments says many companies are storing Bitcoin in the event of a ransomware attack, but they won’t say so publicly.

Still, Cybersecurity Ventures' research indicates the overall number of businesses willing to pay a ransom is declining.

Seeing the potential for massive payouts, hackers have been innovating (new ransomware) furiously, according to a recent CSO article. That’s not likely to wane until the ransom payouts stop altogether.

Visit SteveOnCyber.com to read all of my blogs and articles covering cybersecurity.